
Thread: iPad 3G security breach!

  1. #1
    Mod - iPad Forums RipplingHurst's Avatar
    Join Date
    Dec 2007
    Location
    Danville, CA
    Posts
    2,176

    iPad 3G security breach!

    Link: gawker.com/5559346/

    Apple's Worst Security Breach: 114,000 iPad Owners Exposed


    Apple has suffered another embarrassment. A security breach has exposed iPad owners including dozens of CEOs, military officials, and top politicians. They—and every other buyer of the wireless-enabled tablet—could be vulnerable to spam marketing and malicious hacking. The breach, which comes just weeks after an Apple employee lost an iPhone prototype in a bar, exposed the most exclusive email list on the planet, a collection of early-adopter iPad 3G subscribers that includes thousands of A-listers in finance, politics and media, from New York Times Co. CEO Janet Robinson to Diane Sawyer of ABC News to film mogul Harvey Weinstein to Mayor Michael Bloomberg. It even appears that White House Chief of Staff Rahm Emanuel's information was compromised.


    (...)



    The specific information exposed in the breach included subscribers' email addresses, coupled with an associated ID used to authenticate the subscriber on AT&T's network, known as the ICC-ID. ICC-ID stands for integrated circuit card identifier and is used to identify the SIM cards that associate a mobile device with a particular subscriber.
    AT&T closed the security hole in recent days, but the victims have been unaware, until now. For a device that has been shipping for barely two months, and in its wireless configuration for barely one, the compromise is a rattling development. The slip up appears to be AT&T's fault at the moment, and it will complicate the company's already fraught relationship with Apple. But it will also likely unnerve customers thinking of buying iPads that connect to AT&T's cellular network.
    It will also do so at a pivotal moment, with the iPad 3G early in its sales cycle. Brisk sales for the original wi-fi iPad had promised to turn the 3G model into a similar profit machine. But further questions about AT&T, already widely ridiculed for its bad service, are going to make people think twice about spending up to $830 and $25 per month on the iPad 3G.
    Breach details: Who did it, and how

    The subscriber data was obtained by a group calling itself Goatse Security. Though the group is steeped in off-the-wall, 4chan-style internet culture—its name is a reference to a famous gross-out Web picture—it has previously highlighted real security vulnerabilities in the Firefox and Safari Web browsers, and attracted media attention for finding what it said were flaws in Amazon's community ratings system.
    Goatse Security obtained its data through a script on AT&T's website, accessible to anyone on the internet. When provided with an ICC-ID as part of an HTTP request, the script would return the associated email address, in what was apparently intended to be an AJAX-style response within a Web application. The security researchers were able to guess a large swath of ICC IDs by looking at known iPad 3G ICC IDs, some of which are shown in pictures posted by gadget enthusiasts to Flickr and other internet sites, and which can also be obtained through friendly associates who own iPads and are willing to share their information, available within the iPad "Settings" application.
    To make AT&T's servers respond, the security group merely had to send an iPad-style "User agent" header in their Web request. Such headers identify users' browser types to websites.
    The group wrote a PHP script to automate the harvesting of data. Since a member of the group tells us the script was shared with third-parties prior to AT&T closing the security hole, it's not known exactly whose hands the exploit fell into and what those people did with the names they obtained. A member tells us it's likely many accounts beyond the 114,000 have been compromised.
    Goatse Security notified AT&T of the breach and the security hole was closed.
    We were able to establish the authenticity of Goatse Security's data through two people who were listed among the 114,000 names. We sent these people the ICC ID contained in the document—and associated with the person's iPad 3G account—and asked them to verify in an iPad control panel that this was the correct ICC ID. It was.
    Victims: Some big names

    Then we began poring through the 114,067 entries and were stunned at the names we found. The iPad 3G, released less than two months ago, has clearly been snapped up by an elite array of early adopters.
    Within the military, we saw several devices registered to the domain of DARPA, the advanced research division of the Department of Defense, along with the major service branches. To wit: One affected individual was William Eldredge, who "commands the largest operational B-1 [strategic bomber] group in the U.S. Air Force."

    In the media and entertainment industries, affected accounts belonged to top executives at the New York Times Company, Dow Jones, Condé Nast, Viacom, Time Warner, News Corporation, HBO and Hearst.

    Within the tech industry, accounts were compromised at Google, Amazon, Microsoft and AOL, among others. In finance, accounts belonged to companies from Goldman Sachs to JP Morgan to Citigroup to Morgan Stanley, along with dozens of venture capital and private equity firms.
    In government, affected accounts included a GMail user who appears to be Rahm Emanuel and staffers in the Senate, House of Representatives, Department of Justice, NASA, Department of Homeland Security, FAA, FCC, and National Institute of Health, among others. Dozens of employees of the federal court system also appeared on the list.
    Uh, oh.

    Maybe we should blame AT&T more? However, Apple did choose AT&T, so...
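
Added example, not part of the original post or the quoted article: the quoted article describes a lookup that returned an email address for any ICC-ID supplied, gated only by the User-Agent header. The sketch below shows how a defender could spot that kind of identifier walking in access logs by counting distinct ICC-IDs per client in a time window; the log format, the `/lookup` path, the `iccid` parameter name, the addresses and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample data: epoch seconds, client IP, request, User-Agent.
# The /lookup path and iccid parameter name are hypothetical.
UA = '"Mozilla/5.0 (iPad; U; CPU OS 3_2 like Mac OS X)"'
SAMPLE_LOG = [
    # One device re-checking its own ICC-ID over time.
    f"{ts} 203.0.113.20 GET /lookup?iccid=8900000000000000555 {UA}"
    for ts in (1000, 1300, 1900)
] + [
    # One client walking sequential ICC-IDs with the same iPad User-Agent.
    f"{1000 + n} 198.51.100.7 GET /lookup?iccid=89000000000000010{n:02d} {UA}"
    for n in range(8)
]

LINE = re.compile(r"^(\d+) (\S+) GET \S*[?&]iccid=(\d+)")


def find_enumerators(lines, window=60, max_distinct=5):
    """Return {client_ip: peak distinct ICC-IDs in any window} for clients
    that exceeded max_distinct. The User-Agent is deliberately ignored:
    the client sets it, so it says nothing about who is asking."""
    recent = defaultdict(deque)  # ip -> (timestamp, iccid) pairs in window
    peak = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a lookup request
        ts, ip, iccid = int(m[1]), m[2], m[3]
        q = recent[ip]
        q.append((ts, iccid))
        # Drop requests that have aged out of the sliding window.
        while q and q[0][0] <= ts - window:
            q.popleft()
        distinct = len({i for _, i in q})
        if distinct > max_distinct:
            peak[ip] = max(peak.get(ip, 0), distinct)
    return peak


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct ICC-IDs within 60s")
```

Detection of this kind only limits the damage; the lookup itself should not return subscriber data unless the request is tied to an authenticated session for that subscriber.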

  2. #2
    FLAC SFiorito's Avatar
    Join Date
    May 2004
    Posts
    1,365
    Apple has far more and greater security issues than AT&T leaking email addresses of iPad owners.
    EWF, HORM, MinLogon on XP.

    Zotac ION Atom N330, 2GB low-profile RAM, M3-ATX
    Win Embedded Std 2011 RC
    OCZ Vertex Turbo 30GB SSD
    Lilliput 629 Transflective, WRX Screen Mount
    BlueSoleil BT, i-Blue GM-2 GPS, DirectedHD Radio, Andrea Mic
    VoomPC 2

  3. #3
    Mod - iPad Forums RipplingHurst's Avatar
    Join Date
    Dec 2007
    Location
    Danville, CA
    Posts
    2,176
    That's about it? I don't think so. At the very least, it is known that

    a) those big shots do use those emails;
    b) they have an iPad 3G and use it;
    c) hack their iPad, you access those guys' files, contacts, mails and calendars.

    That makes the iPad that more of a target than before. To know that the White House and big shot military and big decision makers do use that device is big, IMHO.

    Remember when Hillary, others, went to China and the NSA couldn't believe how much trouble they had with Chinese hackers trying to hack phones and laptops? If they got this in two months, what else they won't get in the next several years? Guess the iPad is going to be a big target for hackers worldwide now.

    I'm sure Gates is happy seeing resources dedicated to hack Office and IExplorer are going to be devoted now to iPad and Safari.

    Finally, we don't know if there is more to it than what was disclosed, maybe for fear of a full blown FBI/NSA investigation. Who knows? Rahm Emanuel, Obama's chief advisor, has one. That can't be good.

    Hope Jobs is furious and leaves AT&T for good. Surely there must be an escape clause for rank amateurism when dealing with confidential customer's info?

  4. #4
    FLAC SFiorito's Avatar
    Join Date
    May 2004
    Posts
    1,365
    people have been hacking "iOS" and Safari for years (and finding critical issues), nothing's new. Apple typically just blows the issues off and fixes them months later at their leisure because they're hip and, as Apple store idiots like to say, "Macs don't get hacked".

    that's what I meant. this was AT&T's issue not an Apple issue. Does it make those people targets? yeah, but military and govt officials shouldn't be using their private iPads to access official email or get on govt networks in the first place (or registering devices using their official email address!!).

  5. #5
    Constant Bitrate
    Join Date
    Oct 2007
    Posts
    164
    Goatse Security

  6. #6
    Admin. Linux loser.
    Bugbyte's Avatar
    Join Date
    Sep 2004
    Location
    Corning, NY
    Posts
    7,364
    Blog Entries
    2
    What am I missing here? They were able to obtain an email address for an iPad user, right? I guess that's how the tea party must have gotten my email and are spamming me.

    The hole is now closed, correct? Sooo....it can't be exploited anymore, correct?

    Aaand....I guess I ought to be scared that there may be other amateurish security measures, correct?
    Quote Originally Posted by ghettocruzer View Post
    I was gung ho on building a PC [until] just recently. However, between my new phone having internet and GPS and all...and this kit...I'm starting to have trouble justifying it haha.

  7. #7
    Raw Wave
    Join Date
    Nov 2009
    Posts
    2,119
    TEMPEST lads, tempest!

    Meanwhile downunder they are on about Google's invasion (or breach) of privacy because their mobile mappers & data collection collected "payloads" from unsecured networks. (LOL!)
    In a stroke of brilliance, they compare that to how our security agencies "can't do that" without a warrant. Lookout echelon - the aussies are gonna get you!

    And they are quoting some multi-thousand dollar fine per individual breach.

    My prediction - it's a non-event. There is no "breach" etc.
    Certainly the legal action should fail.... but it may stick.

    Of course that PALES into insignificance with the story & data above.
    As the KGB used to say - let your fingers do the walking. (But they subcontracted that to foreigners....)
    LOL!

  8. #8
    Mod - iPad Forums RipplingHurst's Avatar
    Join Date
    Dec 2007
    Location
    Danville, CA
    Posts
    2,176
    Funny that. I've seen bigger indignation in another forum when people discovered their email, password and profile data were hacked and sold to spammers.


    I don't think there's much reason for a regular person - like most of us, including me, I believe - to be "scared" by this particular breach.

    Now the NSA, Secret Service and people generally responsible for the security of high level employees at big business and/or the White House and the Congress may think differently. There's an "iPad mania at the White House" (Washington Post)

    As a concerned citizen, we should be appalled at those who used their own personally identifiable email address for such purpose. The widespread use of those gizmos by people totally clueless about how to protect their privacy and information is a concern indeed.



    For me, I trust a lot of personal and financial information to AT&T, I expected they would do a better job protecting private data. For this reason I do think that this alone CAN be used by Apple to get rid of/get more from their deal with AT&T.


    Now if you think it's okay, nothing to see here, fine. I like to enjoy some modest privacy. If you don't, here's a thing, just stop posting under a nickname and switch to your real name on these forums, how about that?



  9. #9
    Raw Wave
    Join Date
    Nov 2009
    Posts
    2,119
    Alas the problem - the number of times "secure" data has been breached.
    Even credit card details from companies farming out to others....

    The pseudo-names don't matter (authorities get around that); it's the numbers.
    Not that I transact over the net except for 2 or 3 instances.

  10. #10
    Antenna Engineer
    optikalefx's Avatar
    Join Date
    Apr 2009
    Location
    Baltimore, Maryland, United States
    Posts
    831
    Blog Entries
    86
    I could have probably correctly guessed 20-30% of those important email addresses... Throw in there that they might be using an iPad. Now I have as much information as they do. Who's up for some hacking?
